Google finally hides passwords from snoopers in new builds of Chromium

Google's Chrome team recently came under fire for its long-held practice of making saved passwords visible in plain text. If you hand your computer to a friend or leave it unguarded and unlocked, the friend or a passerby could go into Chrome's settings and view any website passwords you've saved without typing in your system password.

Chrome still makes passwords viewable in plain text by default, but the latest build of Chromium for Mac—the open source browser from which Chrome draws its code—gives users a new way to protect their passwords. If you type chrome://flags into the address bar, you'll find this:

If you enable password manager reauthentication and then restart the browser, the next time you view your list of passwords you'll be prompted to enter the system password before being allowed to view them in plain text:

We described Chrome's method of displaying passwords in June in a feature on password management, noting that Firefox allows users to create master passwords to protect their login data from snoopers, while Internet Explorer simply doesn't provide snoopers an easily accessible list of passwords. Safari protects passwords with the OS X password.

Chrome has been doing things this way for years, but a controversy flared up in August after some reporters noticed the browser's method of displaying passwords and wrote about it. Google Chrome security engineer Justin Schuh defended the practice on Hacker News, saying, "The simple fact is that you need to lock your user account if you want to protect your information. If you don't do that, nothing else really matters because it's all just theater and won't actually stop anyone willing to invest minimal effort."

The new option to protect passwords in Chromium was contributed to the browser project two weeks ago by Google employee and Chrome developer Patrick Dubroy. The feature gained some wider attention after being described this morning on Google+ by Google employee François Beaufort. It seems to only be available on the Mac version of Chromium for now, but this may be the first step toward adding the protection to the main builds of Chrome. We've contacted Google to see if it will disclose any plans for adding the feature to Chrome, but we haven't heard back yet.

Promoted Comments

The security theatre argument only works if users are aware of the security implications of storing passwords in browswers and respond by using better security practices. However, many users aren't and don't, and I think this would help defend against the most casual snooping in practice.

51 Reader Comments

Showing passwords in plain text without requiring authentication and authorization to do so is just weak security. Being logged into the computer is particularly insufficient protection for web passwords, which increasingly secure much more powerful resources.

Is the problem that only OS X provides a way for apps to demand a password in a way that can't be disabled as with UAC? (Edit: by this I mean, can't use Google account if people aren't signed in to Google, don't want to force users to create yet another master password, can't depend on the OS to provide some kind of credentials… so is it a matter of deciding where the master password should come from?)

Showing passwords in plain text without requiring authentication and authorization to do so is just weak security. Being logged into the computer is particularly insufficient protection for web passwords, which increasingly secure much more powerful resources.

Is the problem that only OS X provides a way for apps to demand a password in a way that can't be disabled as with UAC? (Edit: by this I mean, can't use Google account if people aren't signed in to Google, don't want to force users to create yet another master password, can't depend on the OS to provide some kind of credentials… so is it a matter of deciding where the master password should come from?)

If I'm logged onto your computer I can just use an app to rip all the passwords anyway.

Showing passwords in plain text without requiring authentication and authorization to do so is just weak security. Being logged into the computer is particularly insufficient protection for web passwords, which increasingly secure much more powerful resources.

Is the problem that only OS X provides a way for apps to demand a password in a way that can't be disabled as with UAC? (Edit: by this I mean, can't use Google account if people aren't signed in to Google, don't want to force users to create yet another master password, can't depend on the OS to provide some kind of credentials… so is it a matter of deciding where the master password should come from?)

Actually I thought Google's response was spot on. This new feature is just security theater. You certainly should not be retaining any important passwords in the browser. Ok for forums, not so good for banking.

Showing passwords in plain text without requiring authentication and authorization to do so is just weak security. Being logged into the computer is particularly insufficient protection for web passwords, which increasingly secure much more powerful resources.

Is the problem that only OS X provides a way for apps to demand a password in a way that can't be disabled as with UAC? (Edit: by this I mean, can't use Google account if people aren't signed in to Google, don't want to force users to create yet another master password, can't depend on the OS to provide some kind of credentials… so is it a matter of deciding where the master password should come from?)

If I'm logged onto your computer I can just use an app to rip all the passwords anyway.

This is security theatre.

Do they at least get the file permissions correct so that I can't rip everyone else's chrome stored passwords on a machine I'm logged into?

The security theatre argument only works if users are aware of the security implications of storing passwords in browswers and respond by using better security practices. However, many users aren't and don't, and I think this would help defend against the most casual snooping in practice.

Showing passwords in plain text without requiring authentication and authorization to do so is just weak security. Being logged into the computer is particularly insufficient protection for web passwords, which increasingly secure much more powerful resources.

Is the problem that only OS X provides a way for apps to demand a password in a way that can't be disabled as with UAC? (Edit: by this I mean, can't use Google account if people aren't signed in to Google, don't want to force users to create yet another master password, can't depend on the OS to provide some kind of credentials… so is it a matter of deciding where the master password should come from?)

If I'm logged onto your computer I can just use an app to rip all the passwords anyway.

This is security theatre.

So now, instead of literally just looking in the right place, you have to use software.

Showing passwords in plain text without requiring authentication and authorization to do so is just weak security. Being logged into the computer is particularly insufficient protection for web passwords, which increasingly secure much more powerful resources.

Is the problem that only OS X provides a way for apps to demand a password in a way that can't be disabled as with UAC? (Edit: by this I mean, can't use Google account if people aren't signed in to Google, don't want to force users to create yet another master password, can't depend on the OS to provide some kind of credentials… so is it a matter of deciding where the master password should come from?)

Actually I thought Google's response was spot on. This new feature is just security theater. You certainly should not be retaining any important passwords in the browser. Ok for forums, not so good for banking.

The problem I have with Google's attitude is that it ignores two facts:

1. Chrome should not be offering to remember passwords at all IMHO, given the low priority they place on securing them--leave that to plugins like lastpass.

2. By Google's definition ("won't actually stop anyone willing to invest minimal effort"), ANY software countermeasures could 'security theater.' When an attacker has physical access to your computer, 'minimal effort' is all it takes to copy critical files and break into them using easily available software.

Actually I thought Google's response was spot on. This new feature is just security theater. You certainly should not be retaining any important passwords in the browser. Ok for forums, not so good for banking.

On OS X Chrome doesn't store the passwords anyway, the passwords are stored encrypted in the login keychain by the Keychain service. If your login keychain is locked you have to use your password to unlock it before Chrome can use a password.

So at least on Macs anyone who really cares about this particular bit of security theatre could have simply set their login keychain to auto-lock, or lock it manually from the menu. Also there are existing Keychain options to lock after X minutes of inactivity, or when sleeping, and to disable automatic unlocking when logging in. In fact with Keychain you can set per password settings, so for example a banking password could ask for your account password (or a custom keychain password) upon every use.

All this new option does is force something that anyone who really cared about it could already have done.

If you are already logged into your PC and browser, allow Joe Blow to sit down and click "show passwords" . . . you deserve what you get.

If you close your browser, or make him log in as a guest account, then how hard does he have to work? Believe it or not, a lot malicious people out there (shitty roommates, family members you can't get rid of, etc. etc.) do not know how to install malware and use it against you, and you may be able to predict this with some accuracy.

If the police steal your computer while it is powered down and hand it to their forensics guy, will the password list be encrypted, or will it be free to use?

If a skilled attacker (possibly even a meatspace intruder) tampers with my device, then waits for me to use it to decrypt my password list, well, what am I going to do about that anyway? They could have just waited for me to type in any of my passwords for the millionth time.

On OS X Chrome doesn't store the passwords anyway, the passwords are stored encrypted in the login keychain by the Keychain service. If your login keychain is locked you have to use your password to unlock it before Chrome can use a password.

If Chrome doesn't store the passwords how can they be synced across devices?

On OS X Chrome doesn't store the passwords anyway, the passwords are stored encrypted in the login keychain by the Keychain service. If your login keychain is locked you have to use your password to unlock it before Chrome can use a password.

If Chrome doesn't store the passwords how can they be synced across devices?

Showing passwords in plain text without requiring authentication and authorization to do so is just weak security. Being logged into the computer is particularly insufficient protection for web passwords, which increasingly secure much more powerful resources.

Is the problem that only OS X provides a way for apps to demand a password in a way that can't be disabled as with UAC? (Edit: by this I mean, can't use Google account if people aren't signed in to Google, don't want to force users to create yet another master password, can't depend on the OS to provide some kind of credentials… so is it a matter of deciding where the master password should come from?)

If I'm logged onto your computer I can just use an app to rip all the passwords anyway.

This is security theatre.

I'm tired of comments like this one about security theatre on this topic. The reason why is because of a latent assumption that only people on this type of forum can make: you assume that most thieves are as sophisticated and smart like we are. Why lock the passwords, when thieves can run a tool that they downloaded from a 2 minute search on Google and do the same thing? Here's the thing though: some thieves would never think of doing that!

Of course this is security theatre! Nothing in this world is absolutely secure. Nothing. But we can erect login boxes and stuff to deter thieves. Theatrics? Yes. But theatrics can aid in security, sir. The lock on my apartment door is theatrics too. I admit it. A trip to the hardware store for certain tools is all it will take to get in. But it works quite well for a wide variety of cases, like keeping my neighbors out.

By putting a password box like the one described in this article, this will create yet another obstacle to prevent snoopers. Foolproof, no. But better than nada.

Chome can access them, as can any application with the approrpriate permissions. So for example Safari and Chrome can share internet passwords. But the storage is done by Keychain.

When passwords are synced to another device obviously they need to traverse Google's systems, but remember you can set another synchronisation password, so that they never get sent to Google as plaintext.

Is it only me or did chrome development progress stalled recently? I dont remember when was the last time they added any important feature. People have been asking for years to have Reading View (especially on mobile devices). How difficult is it to add it? All other browsers have it. There are more requested features and nothing is being done about them. These days their progress developing chrome is so poor that even a non-feature like this weak password protection warrants an article in Ars.

If I'm logged onto your computer I can just use an app to rip all the passwords anyway.

This is security theatre.

This is not true, at least under OS X. Applications can only read the Keychain entries (passwords) that they created, unless the user authorizes them to read other entries.

The passwords Chrome was exposing were entries that Chrome had created. Basically, Chrome was leaving the front door unlocked after it had come in.

This is the basis of my assumptions. I suppose I'm in the habit of assuming saved passwords are stored individually with AES-128 encryption using a master key known only to the user. This is how Keychain and 1Password and others work, at least as far as I understand.

It would be security theater only if the passwords were actually stored in plaintext anyway, so I think I take Pizza's point, but that leads me to an even more alarming conclusion.

What sensible password-storage system isn't already using encryption to store each password in such a way that a master key of some kind is required?

In any case, I don't quite follow a "who cares, it's security theater" response… surely storing them in plain text and washing your hands of it is less preferable to storing them with some kind of encryption. Am I being obtuse?

If you are already logged into your PC and browser, allow Joe Blow to sit down and click "show passwords" . . . you deserve what you get.

If you close your browser, or make him log in as a guest account, then how hard does he have to work? Believe it or not, a lot malicious people out there (shitty roommates, family members you can't get rid of, etc. etc.) do not know how to install malware and use it against you, and you may be able to predict this with some accuracy.

If the police steal your computer while it is powered down and hand it to their forensics guy, will the password list be encrypted, or will it be free to use?

If a skilled attacker (possibly even a meatspace intruder) tampers with my device, then waits for me to use it to decrypt my password list, well, what am I going to do about that anyway? They could have just waited for me to type in any of my passwords for the millionth time.

Ooh Ooh! I got one… what if you wake up in a damp concrete cell, tied to a chair, and Jack Bauer comes in and demands to know your passwords with a knife to your kneecap!

I guess if you don't bury your laptop in a vault under tons of concrete every time you step away from the computer and are willing to pay with your life to protect your password to Facebook, you get what you deserve!

Or, just store the damn password list with some kind of encryption using a master key. Either way.

Showing passwords in plain text without requiring authentication and authorization to do so is just weak security. Being logged into the computer is particularly insufficient protection for web passwords, which increasingly secure much more powerful resources.

Is the problem that only OS X provides a way for apps to demand a password in a way that can't be disabled as with UAC? (Edit: by this I mean, can't use Google account if people aren't signed in to Google, don't want to force users to create yet another master password, can't depend on the OS to provide some kind of credentials… so is it a matter of deciding where the master password should come from?)

Actually I thought Google's response was spot on. This new feature is just security theater. You certainly should not be retaining any important passwords in the browser. Ok for forums, not so good for banking.

I hope you mean I should be using a password manager instead of Chrome's apparently shitty password manager, or that Chrome should have a better password manager than the shitty one it has now. Storing passwords has been pretty thoroughly vetted as a practice by, I dunno, dozens of articles on this very site…

For people who initially wrote this off as a non-issue, let me offer this scenario:

Say someone wants to login to my Facebook account but has only seconds to do so before I return from the bathroom. Instead, they quickly look up my username and plain text password and walk away from the computer. Later, at their own computer, they have everything they need from a quick 10 second session at my own computer.

Exposing the passwords without initial authorization was/is bad security. Glad to see this being addressed.

It would be security theater only if the passwords were actually stored in plaintext anyway, so I think I take Pizza's point, but that leads me to an even more alarming conclusion.

What sensible password-storage system isn't already using encryption to store each password in such a way that a master key of some kind is required?

In any case, I don't quite follow a "who cares, it's security theater" response… surely storing them in plain text and washing your hands of it is less preferable to storing them with some kind of encryption. Am I being obtuse?

The Chrome dev's argument had been that by giving somebody access to your PC while logged in, you are giving them access to your private key. Therefore, an extra UI prompt inside of chrome doesn't add security because the key is already in the attackers possession. The counter-argument is that most 'casual' attackers don't realize they have the key already, and so would only be able to get to the passwords through the Chrome UI.

To the best of my knowledge Chrome has always used Keychain on OS X, and so is as secure, or not, as any user wants. As to settings syncing it is A) opt-in, B) encrypted with Google account credentials, and C) can optionally use an entirely seperate password so that Google can't "see" the plaintext.

Google's beef seems to be that if you let someone else use your account, and your keychains is unlocked you are already asking for trouble, and so hiding the passwords in Chrome's settings pane is at best a minor inconvenience for a would be troublemaker, and at worst gives a false sense of security.

So you trust someone enough to give them your computer logged into your user but don't trust them enough to go through your saved website passwords?

That's not the point. There are many cases for colleagues or stranger to access a laptop when one goes off to make a coffee and the person is too lazy to lock the computer.

Quote:

Google Chrome security engineer Justin Schuh defended the practice on Hacker News, saying, "The simple fact is that you need to lock your user account if you want to protect your information. If you don't do that, nothing else really matters because it's all just theater and won't actually stop anyone willing to invest minimal effort."

But it decrypts them as soon as you start the browser, at least by default, because it can fill in Web forms automatically without needing a master password.

Ah, it's been a few years since I used Firefox with a master password.. But, while setting a master PW is optional, and not the default; I'm quite sure that if set, you had to give the master PW before Firefox could use the saved passwords.

I see Google's point of view that there are other and better options for securing passwords (like OSX keychain), but right now there's isn't an equivalent for Windows (at least not as complete).

I take computer security seriously, and I'm using KeePass instead for storing my passwords, as this is one free tool that I know is on multiple operating systems, and is easily syncable between systems. So far it's not been a big hassle, but it's still not as convenient than having the system to fill out for login forms for me automatically (security and convenience are very hard to have at the same time).

But for your information, indeed your passwords are stored on Google servers, but they are encrypted with a security certificate that is tied to your account, which can only be used with your private key (your actual Google password). So even though Google has the encrypted password and the security certificate, they cannot get those without your password, which is also hashed on their end.

One thing that some people don't think about is that Chrome provides password syncrhonization. As a poster above pointed out, 10 seconds unattended use is enough for someone to get that Facebook page and wreak havoc / find things out. But if they used that 10 seconds to get your Google account password, they can go home, install Chrome sync it to your Google account and bring down all the other passwords for everything else, all for their viewing pleasure.

I thought when I read the headline this would be the end of it but no - they've left it off by default!

IE actually has a way to show stored passwords, it works very much like the Keychain in OS X. In Control Panel, Credential Manager you can view your stored website passwords. And yes, it does prompt for your user account password before showing them (and this does not appear to be dependent on UAC).

Chrome uses the OS-provided password encryption mechanism. On the Mac they use Keychain, on Windows they use whatever that encryption API is (using the user's system password), and on Linux...I don't know what they do there. There's no change in using these, they've done so for years. Syncing is done with encryption (using a custom passcode if you want, or with just your sync password by default), and is possible because of course Chrome already has access to the entries it created.

Second, this is just security theater, though as people have pointed out before, a small bump in the road does slow down your best mate who apparently wants to spy on you and you've stupidly given unrestricted access to your machine. It doesn't slow them down much if they're more than passingly curious, however, and they don't need time or special software to still access things.

Any browser that has access to OS-encrypted passwords and uses them has a copy of an unencrypted password at some point, obviously, if only just to pass it on to the website. If your friend just visits facebook.com, they can just copy the password out of the password box, either directly or in the developer tools. This works in Firefox and Safari as well. That's why this is security theater. With this method (and a few others), you might not have a list of passwords which you can slowly copy and paste, but you can still visit each site on that list and copy the password field of the site itself. It won't take that much longer, and if you're after one or two sites (facebook or gmail or whatever), it's probably faster to do that in the first place.

This is all to be expected. You logged into your OS account, and you previously authorized the browser to access your OS password store (especially on the Mac, where it explicitly makes you enter your password to always give the browser access to the Keychain).

However, that list of passwords isn't just staring at you any more, so it's probably worth adding this small feature to ease minds. Just make no mistake that if you can visit a website and log in without entering a password, that means that the browser sent a password to that site, which means that someone can get it , "master password" or no -- because you already gave them unrestricted access to your machine.

Showing passwords in plain text without requiring authentication and authorization to do so is just weak security. Being logged into the computer is particularly insufficient protection for web passwords, which increasingly secure much more powerful resources.

Is the problem that only OS X provides a way for apps to demand a password in a way that can't be disabled as with UAC? (Edit: by this I mean, can't use Google account if people aren't signed in to Google, don't want to force users to create yet another master password, can't depend on the OS to provide some kind of credentials… so is it a matter of deciding where the master password should come from?)

If I'm logged onto your computer I can just use an app to rip all the passwords anyway.

This is security theatre.

I'm tired of comments like this one about security theatre on this topic. The reason why is because of a latent assumption that only people on this type of forum can make: you assume that most thieves are as sophisticated and smart like we are. Why lock the passwords, when thieves can run a tool that they downloaded from a 2 minute search on Google and do the same thing? Here's the thing though: some thieves would never think of doing that!

Of course this is security theatre! Nothing in this world is absolutely secure. Nothing. But we can erect login boxes and stuff to deter thieves. Theatrics? Yes. But theatrics can aid in security, sir. The lock on my apartment door is theatrics too. I admit it. A trip to the hardware store for certain tools is all it will take to get in. But it works quite well for a wide variety of cases, like keeping my neighbors out.

By putting a password box like the one described in this article, this will create yet another obstacle to prevent snoopers. Foolproof, no. But better than nada.

I agree with the sentiment of your post, but disagree with your implied definition of security theater. My definition of security theater is:

1) Provides the appearance of security2) Can easily be worked around or overridden by all but the most simple of people3) Causes great inconvenience to the honest people subject to itORTakes great effort to implement

I use the TSA as the standard for security theater, but much of the government likes security theater because someone has to get paid to put that security together, and what better way to make money than on a porkbarrel project that has few or flawed metrics. This is a switch in Chrome, I seriously do not believe it took a huge amount of effort to create because a) it takes more than a little effort to turn on and b) it came about soon after the "scandal" hit the news. It's also not causing a huge inconvenience to the people who will use it. So it's really not security theater, at least by this definition.

Showing passwords in plain text without requiring authentication and authorization to do so is just weak security. Being logged into the computer is particularly insufficient protection for web passwords, which increasingly secure much more powerful resources.

Is the problem that only OS X provides a way for apps to demand a password in a way that can't be disabled as with UAC? (Edit: by this I mean, can't use Google account if people aren't signed in to Google, don't want to force users to create yet another master password, can't depend on the OS to provide some kind of credentials… so is it a matter of deciding where the master password should come from?)

Actually I thought Google's response was spot on. This new feature is just security theater. You certainly should not be retaining any important passwords in the browser. Ok for forums, not so good for banking.

I hope you mean I should be using a password manager instead of Chrome's apparently shitty password manager, or that Chrome should have a better password manager than the shitty one it has now. Storing passwords has been pretty thoroughly vetted as a practice by, I dunno, dozens of articles on this very site…

No, I mean use the shitty password manager in the browser. Use security to the degree of its importance. I really don't care if someone impersonates me on a forum. Well I care enough to say "Hey, cut that crap out, d-bag." If somebody used my Amazon account, ordered a Fleshlight then gave a review in name, I would care more. For finances, I have RSA keys, because I really care about security when it costs me money.

Steve Gibson and Leo Laporte covered this Chrome story on Security Now months ago and kind of laughed it off with the attitude "This is news?"

If I'm logged onto your computer I can just use an app to rip all the passwords anyway.

This is security theatre.

Firefox claims to encrypt the passwords with the master password.

But it decrypts them as soon as you start the browser, at least by default, because it can fill in Web forms automatically without needing a master password.

Other form elements, yes. Passwords, no. It can't fill any passwords until you put in the master password. (once per session, admittedly, unless you change to every time or lock after x minutes with about:config security. ask_for_password).

I guess I have to accept that I'm in the minority for choosing "better approach" over "worse approach" when given a choice of how to implement a password storage mechanism.

If everything in my user account is so secure just by being protected by my user account credentials, I suppose I may as well save all my passwords in text files on my desktop and quit wasting my life.

It seems counter to decades of wisdom about things like concentric security layers and not making assumptions about who has access to what and limiting the scope of a potential uncontemplated intrusion, but what do I really know?

But for your information, indeed your passwords are stored on Google servers, but they are encrypted with a security certificate that is tied to your account, which can only be used with your private key (your actual Google password). So even though Google has the encrypted password and the security certificate, they cannot get those without your password, which is also hashed on their end.

I understand how they do it but again, they have your private password file and it is secured with a password and certificate they know and use regularly when you log-in to your account.

They literally have all of the pieces necessary to read the passwords on their servers and who is calling who a security theater?

There is no reason why the password file cannot be locally encrypted with a password not stored on Google's servers anywhere, like Firefox.